6 comments:

I think that checking for X number of redirects is a better idea than trying to find loops because people can always forward to random pages which don't exist from a 404 page, and there would be no way to deduce that there was a loop other than by seeing that more than 10 redirects had been performed...
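The point above (a loop detector misses a 404 page that forwards to an ever-changing nonexistent URL, while a plain hop cap catches both cases) can be shown with a small redirect follower. This is an added example written for this page, not code from the commenter or the blog; the fake server, the `fetch` callable signature and the outcome names are assumptions, and nothing touches the network.

```python
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import urljoin

# Constructed fake server: URL -> (HTTP status, Location header or None).
FAKE_SERVER: Dict[str, Tuple[int, Optional[str]]] = {
    "http://example.test/a": (302, "http://example.test/b"),
    "http://example.test/b": (302, "http://example.test/a"),  # closes an a -> b -> a loop
    "http://example.test/ok": (200, None),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Hypothetical fetch. Known URLs answer from FAKE_SERVER; any unknown URL
    behaves like the commenter's 404 page and forwards to yet another URL that
    has never been seen, so no URL ever repeats."""
    if url in FAKE_SERVER:
        return FAKE_SERVER[url]
    return (302, url + "x")


def follow_redirects(fetch: Callable[[str], Tuple[int, Optional[str]]],
                     start_url: str,
                     max_redirects: int = 10) -> Tuple[str, int, str]:
    """Follow Location headers from start_url.

    Returns (outcome, hops, last_url) where outcome is:
      'ok'       a non-redirect response was reached,
      'loop'     a URL was visited twice (loop detector fired),
      'too_many' the hop cap was reached without either of the above.
    Both checks run; the hop cap is what stops the never-repeating chain.
    """
    seen: Set[str] = set()
    url = start_url
    hops = 0
    while True:
        if url in seen:
            return ("loop", hops, url)
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            return ("ok", hops, url)
        if hops >= max_redirects:
            return ("too_many", hops, url)
        hops += 1
        url = urljoin(url, location)  # Location may be relative


if __name__ == "__main__":
    for start in ("http://example.test/a", "http://example.test/ok", "http://example.test/missing"):
        print(start, "->", follow_redirects(fake_fetch, start))
```

Running the three starts shows the loop case ending as `loop` after 2 hops, the direct page as `ok`, and the wandering 404 chain as `too_many` at hop 10: the only signal the cap-based check needs is the count.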

Well how about being fair and using the latest IE7 to do this comparison? It seems to give up quickly enough with a page not accessible error. For that matter even IE6 did that eventually so I'm not sure what kind of testing your friend did on IE6.

It sure is fashionable to keep bashing the years old IE6 when a more secure IE7 is soon to be available.

Okay let me understand this ... You run a web security company and you don't bother to run IE for test purposes on a single machine or VM? Your security research is only for the folks who don't run IE or Windows? You don't believe in knowing the major products in your area of security expertise? For example it's obvious that you don't have much knowledge about IE7 security when running in Vista. Sorry but I'm not sure how much confidence I personally would have in hiring your services ...

I wasn't aware that this was such a pressing issue. And since you personally single me out with your comments, I'll try to address them as honestly as I can.

> You run a web security company and you don't bother to run IE for test purposes on a single machine or VM?

Correct. Unless there is a really compelling need for me to do so.

> Your security research is only for the folks who don't run IE or Windows?

My research primarily focuses on web applications, not necessarily browser security (though there is overlap). If anyone wants to test my results on their own systems (including IE and Windows), I'd love to hear about it.

> You don't believe in knowing the major products in your area of security expertise?

Be reasonable. No web application expert can be expected to know everything about everything all the time. I have my focus area (as most do) and I make it known where the gaps are. Again, if people want to share their experiences, I'm all ears and not opposed to learning something.

> For example it's obvious that you don't have much knowledge about IE7 security when running in Vista.

Right you are and I make that fact known.

> Sorry but I'm not sure how much confidence I personally would have in hiring your services ...

That's your prerogative of course. Though we typically get hired based on our web application security assessment capability, not our knowledge of IE 7's handling of infinite redirects. If that's the type of vendor you need, use them.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and has been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this came after Jeremiah served as an information security officer at Yahoo!